Michelangelo
Michelangelo is a DOS virus that was first discovered on February 4th, 1991.
Payload
Michelangelo was designed to infect DOS systems, but did not engage the operating system or make any OS calls. Like all boot sector viruses, Michelangelo operated at the BIOS level. Each year, the virus remained dormant until March 6th, the birthday of Renaissance artist Michelangelo. There is no reference to the artist in the virus, but due to the name and date of activation it is very likely that the virus writer intended the virus to reference Michelangelo. Michelangelo is a variant of the already endemic Stoned virus.
On March 6th, if the PC is an AT or a PS/2, the virus overwrites the first one hundred sectors of the hard disk with nulls. The virus assumes a geometry of 256 cylinders, 4 heads, 17 sectors per track. Although all the user's data would still be on the hard disk, it would be irretrievable for the average user.
On hard disks, the virus moves the original master boot record to cylinder 0, head 0, sector 7. On floppy disks, if the disk is 360 KB, the virus moves the original boot sector to cylinder 0, head 1, sector 3. On other disks, the virus moves the original boot sector to cylinder 0, head 1, sector 14.
*This is the last directory sector of 1.2 MB disks.
*This is the second-to-last directory sector of 1.44 MB disks.
*The directory sector does not exist on 720 KB disks.
Although designed to infect DOS systems, the virus can easily disrupt other operating systems installed on the system since, like many viruses, Michelangelo infects the master boot record of a hard drive. Once a system is infected, any floppy disk inserted into the system and written to becomes immediately infected as well (in 1992 a PC system could not detect that a floppy had been inserted, so the virus could not infect the floppy until some access to the disk was made).
And because the virus spends most of its time dormant, activating only on March 6, it is conceivable that an infected computer could go for years without detection, as long as it wasn't booted on that date while infected.
The virus first came to widespread international attention in January 1992, when it was revealed that a few computer and software manufacturers had accidentally shipped products infected with the virus, for example Intel's LANSpool print server. Although the infected machines numbered only in the hundreds, the resulting publicity spiraled into "expert" claims, partially led by anti-virus company founder John McAfee, of thousands or even millions of computers infected by Michelangelo. However, on March 6th, 1992, only 10,000 to 20,000 cases of data loss were reported.
In subsequent years, users were advised not to run PCs on March 6th, waiting until March 7th, or else to reset the PC date to March 7th at some time on March 5th (to skip March 6th). Eventually, the news media lost interest, and the virus was quickly forgotten. Despite the scenario given above, in which an infected computer could evade detection for years, by 1997 no cases were being reported in the wild.
Removal
Use F-Prot or M-Disk/P.
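
The relocation addresses given in the Payload section, turned into sector offsets within a raw disk image so the saved original boot sector can be located for inspection. This is an added example, not part of the original article or of any tool it names; the function names, the size-to-geometry table, the treatment of any non-floppy size as a hard disk, and the 55 AA signature check are assumptions of the example, and the sample images are constructed.

```python
SECTOR = 512
KB = 1024
# Standard PC floppy geometries by image size: (heads, sectors per track)
FLOPPY_GEOMETRY = {360 * KB: (2, 9), 720 * KB: (2, 9),
                   1200 * KB: (2, 15), 1440 * KB: (2, 18)}

def chs_to_lba(cyl, head, sec, heads, spt):
    """Classic CHS -> LBA mapping (sectors are 1-based).
    Returns None when the address does not exist in this geometry."""
    if not (0 <= head < heads and 1 <= sec <= spt):
        return None
    return (cyl * heads + head) * spt + (sec - 1)

def stash_lba(image_size):
    """LBA of the slot where the article says the original sector is kept."""
    geom = FLOPPY_GEOMETRY.get(image_size)
    if geom is None:
        # Assumption: any other size is a hard disk image with at least
        # 7 sectors per track, so cylinder 0, head 0, sector 7 is LBA 6.
        return 6
    heads, spt = geom
    sec = 3 if image_size == 360 * KB else 14
    return chs_to_lba(0, 1, sec, heads, spt)

def find_saved_boot_sector(image):
    """Return (lba, sector) if the slot holds a plausible boot sector
    (ends in the 0x55 0xAA signature), else None."""
    lba = stash_lba(len(image))
    if lba is None:
        return None
    sector = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(sector) == SECTOR and sector[510:] == b"\x55\xaa":
        return lba, sector
    return None

def constructed_image(size):
    """Constructed sample: zero-filled image with a dummy 'original'
    boot sector (only the signature bytes are set) placed in the slot."""
    img = bytearray(size)
    lba = stash_lba(size)
    if lba is not None:
        img[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for size in (360 * KB, 720 * KB, 1200 * KB, 1440 * KB, 10 * KB * KB):
        hit = find_saved_boot_sector(constructed_image(size))
        print(size // KB, "KB ->", "no such sector" if hit is None else f"LBA {hit[0]}")
```

A signature match only shows that the slot holds something shaped like a boot sector; on the 720 KB geometry the computed address falls outside the 9-sector track, so the function reports nothing to inspect.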